June 13, 2018


Prominent U.K. mobile technology retailer Dixons Carphone has been the victim of a massive data hack, in which payment details stored by 5.9 million customers were accessed illegally. The payment data was stored in the processing system of Currys PC World and Dixons Travel stores, the latter of which operates in airports.

Dixons Carphone said 5.8 million cards accessed were protected by chip-and-PIN payment protection, and the important card verification value number (CVV) printed on the back of payment cards was not stored, leaving the majority of customers free from immediate worry. However, the remaining 105,000 cards accessed in the hack were cards not issued in Europe and did not have chip-and-PIN protection. These cards were likely used at Dixons Travel stores by airport visitors, but Dixons Carphone says it hasn’t found evidence of fraud in these either.

Steps to avoid any payment fraud have already been taken by the group, and relevant card companies have been informed of the breach, helping to minimize the chances of further problems. In addition to the payment details, the names, addresses, and email addresses of 1.2 million people in the firm’s database had been accessed. The company says this information has not been used fraudulently, but is contacting affected customers nonetheless.

The company has been investigating the breach since July 2017, according to the BBC, indicating a considerable gap between discovering the security problem and the subsequent public announcement. The hack was discovered during a review of its systems and data, according to the firm’s statement on the matter, and it reassures customers the security holes have been closed and there has been no evidence of further snooping.

It’s not the first time the group has had security problems. In 2015 an attack on Carphone Warehouse left the details of 2.4 million customers exposed, along with the payment data of 90,000 people. Carphone Warehouse was subsequently fined 400,000 British pounds/$533,000 by the Information Commissioner’s Office (ICO) in 2018 — one of the largest fines the ICO has issued. Retailer Dixons merged with Carphone Warehouse in 2014.

At the time, ICO commissioner Elizabeth Denham said: “A company as large, well-resourced, and established as Carphone Warehouse, should have been actively assessing its data security systems, and ensuring systems were robust and not vulnerable to such attacks.” We’d expect the ICO to pay considerable attention to this second, more serious breakdown in security at the company.